“`html
A recent open-source application named SilentButDeadly has surfaced, designed to interfere with Endpoint Detection and Response (EDR) and antivirus (AV) programs by disrupting their network interactions.
Created by security analyst Ryan Framiñán, the application utilizes the Windows Filtering Platform (WFP) to establish temporary, bidirectional barriers on EDR cloud links, isolating threats without terminating processes.
His methodology expands upon the 2023 EDRSilencer approach, providing enhanced operational security through dynamic, self-cleansing filters.
The application tackles a significant weakness in contemporary EDR frameworks, which depend largely on cloud-based telemetry for real-time assessments and updates. By obstructing outbound data transmissions and incoming command receptions, SilentButDeadly effectively nullifies remote management and threat intelligence sharing.
In contrast to aggressive evasion techniques that disrupt security functions, it emphasizes discreet network separation, making it suitable for red-team simulations and malware analysis in controlled settings. Framiñán’s implementation guarantees that no persistent artifacts are left behind unless configured to do so, minimizing forensic traces.
SilentButDeadly Execution
The execution of SilentButDeadly progresses through organized phases, commencing with privilege confirmation utilizing Windows APIs like CheckTokenMembership() to validate administrator access. Users are interactively prompted to continue, boosting control.
The core discovery phase examines active processes via CreateToolhelp32Snapshot(), comparing against a predefined list of EDR targets such as SentinelOne’s SentinelAgent.exe and Microsoft Defender’s MsMpEng.exe. Upon identification, it requests complete process paths and initializes WFP with a dynamic session marked by FWPM_SESSION_FLAG_DYNAMIC for automatic cleanup.
Network obstruction is executed at ALE layers: outbound via FWPM_LAYER_ALE_AUTH_CONNECT_V4 and inbound via FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4, employing high-priority weights (0x7FFF) and process-specific AppID conditions.
Filters convert executable paths to WFP blobs using FwpmGetAppIdFromFileName0(), ensuring accurate targeting. After isolation, the application interrupts services by stopping them smoothly and setting startup configurations to SERVICE_DISABLED, preventing restarts. A recap displays affected processes, block counts, and WFP status before optional cleanup eliminates all rules.
Supported targets encompass SentinelOne, Windows Defender, and Defender ATP (MsSense.exe), with expandability through a straightforward array. Command-line options such as –verbose for logging and –persistent for enduring filters enhance adaptability, while robust error management ensures graceful fallbacks.
Security attributes focus solely on legitimate APIs, with no kernel modifications, although it necessitates admin rights. From an operational standpoint, it halts EDR updates, telemetry, and scans, while preserving local detection. Detection risks include WFP event logs (IDs 5441, 5157) and service changes, which can be detected via netsh wfp commands or PowerShell queries.
Framiñán emphasizes ethical use for authorized evaluation, urging defenders to monitor WFP alterations and establish resilient EDR frameworks with local caching.
Accessible on GitHub under loosehose/SilentButDeadly, the application ignites discussions on EDR dependencies, potentially spurring vendor enhancements. As cyber threats develop, such investigations highlight the necessity for balanced architectures that are less reliant on continuous connectivity.
“`